Under cybersecurity plan, agencies would answer to DHS

The Homeland Security Department would be put in charge of the security of federal IT systems under proposed legislation sent by the White House to Congress May 12, but would have only limited authority to oversee the security of privately owned critical infrastructure.

The proposal, which administration officials characterized as a starting point for discussions with Congress and industry, clarifies the DHS role as the lead cybersecurity agency with “primary responsibility within the executive branch for information security,” including the power to mandate policies and activities for government systems.

It would also create a regulatory framework for non-government critical infrastructure that requires owners and operators to develop security plans, and would establish a national requirement for notifying people of data breaches.

The plans would be evaluated by accredited auditors and reviewed by DHS. If a plan were found wanting, the DHS secretary would discuss the shortcomings with the operators and “take other action as may be determined appropriate.” However, that action would not include shutdown orders, fines or other monetary or civil penalties.

Administration officials said the proposed regulatory framework is an acknowledgment that government does not have all of the answers and that cooperation is likely to be more effective than regulation.

The proposal will likely be reconciled with similar cybersecurity legislation that has been introduced in both the House and Senate.

One element not included in the White House proposal that has been included in other introduced bills is formal establishment of an executive branch cybersecurity officer. President Barack Obama has named Howard A. Schmidt as White House cybersecurity coordinator, but that position does not require Senate approval.

Rather, under the Obama plan, authority for coordinating and overseeing federal information security policy would be given to DHS, which would “develop and conduct risk assessments for federal systems and, upon request, critical information infrastructure.” The proposal would authorize the department to deploy and operate intrusion detection and prevention systems, such as Einstein, on government systems and would give the department access to all government traffic.

The department also would establish a cybersecurity center to facilitate information sharing and collaboration among agencies, state and local governments, the private sector and international partners. The center would organize activities under a cybersecurity response plan and disseminate threat information. This essentially formalizes the role now played by the U.S. Computer Emergency Readiness Team.

Under the regulatory framework for critical infrastructure, the department would designate core critical systems whose disruption would pose a threat to the national security or economy, which would be required to maintain approved cybersecurity plans. DHS would “identify specific cybersecurity risks that must be mitigated to ensure the security of covered critical infrastructure; and review and designate frameworks to address such risks.”

The frameworks would be created in consultation with industry standards organizations and used to evaluate security plans. DHS would establish an accreditation for third-party evaluators that would assess the programs, which would then be approved by DHS.

Another requirement for the private sector would be data breach notification. The provision would replace the current patchwork of 47 state laws for notifying individuals when personally identifiable information has been lost, stolen or otherwise exposed.

The requirements would apply to organizations handling the personal information of at least 10,000 individuals a year, and they would be required to personally notify potential victims in the event of a breach, “unless there is no reasonable risk of harm or fraud.” This could be achieved by use of industry best practices and standards such as cryptography to protect the exposed files.

Notification, by mail, e-mail or telephone, would have to be made within 60 days unless a 30-day extension is granted by the Federal Trade Commission for further investigation, or the Secret Service or FBI decides notification would impede a criminal investigation. Companies also would have to notify the Secret Service, FBI and FTC of large breaches.

The FTC would enforce this section, although states would be able to bring civil action for violations.